Kindly find attached our reminder and copy of the relevant invoices.Looking forward to receive your prompt payment and thank you in advance.

Kind regards

The attachment name combines the recipient's email address with the fake reference number, e.g. barry_51DDAF.xls which isn't actually an Excel file at all, but a multipart MIME file. Payload Security's Hybrid Analysis tools manages to analyse it though, showing several steps in the infection chain.

First a VBScript is downloaded from pastebin[.]com/download.php?i=5K5YLjVu

Secondly, that VBScript then downloads a file from 92.63.88[.]87:8080/bt/get.php (MWTV, Latvia) which is saved as crypted.120.exe, this has a detection rate of 2/57.

This component then connects to 46.36.217.227 (FastVPS, Estonia) and according to this Malwr report drops a Dridex DLL with a detection rate of 3/56.

There are several different attachments, so far I have seen the following MD5s:
110B42E097A7677A993CF1B3B24743D820AEB9ECEBC26B3CDE960728E890F90433A8CBE7B75B20B5EA1069E3E2A13D803973E29F7BDC7903FFCB596B10F9FD547019D711AE0E2FEDEE25EAA3341CFB7F949816F4DF724E690690B3C8AD3871D49CDEFFBAC7B79302D309404E6F3068C4B5C2393D44D8E0C94D04E2D159AE8776B84D52F59AEC53B8D7FA109D256FCB6BCA5E8A531A8EE24B15FC7B2A66502042E99216D829C632DF24ECAD9162AF654CEC1AD4316DBA799EF2E2440E715CD5F5F4B5B0AE85F27E0A475BD359F5BE76E8F666682D638FE67607DD189705844AD5

The MD5s for the malware components are:
DD7ADC5B140835DC22F6C95694F9C0159AFECFAA484C66F2DD11F2D7E9DC4816838F0A8D3FCBD0DDB2F8E8D236D17957